Stealing by the numbers

March 02, 2005

CHOICEPOINT Inc. makes a lot of money helping clients learn all kinds of sensitive information about virtually every adult in this country. But it failed to learn the truth about some of its own clients. As a result, at least 145,000 Americans - and perhaps as many as 500,000 - were made vulnerable to this nation's top fraud, identity theft.

This scandal is an eye-opener to the threats posed by unregulated data aggregators. Such firms sell to marketers, employers and landlords a wealth of data gathered from endless computer databases - including Social Security and credit card numbers and employment, property and legal records.

ChoicePoint claims to have 19 billion items of data on more than 220 million Americans. It also says it vets its customers. But in October, it told authorities it had been scammed by con men posing as legitimate businesses to obtain reports. This is coming out now because ChoicePoint only last month finally sent out warning letters to potential victims - a delay the company says was requested by investigators.

If ChoicePoint were a state motor vehicle agency, a credit-reporting company or a financial or medical institution, federal laws would strictly control its data dispersion. But data brokers largely fall through the cracks. The nation is fortunate that this scandal originated in California, the only state requiring notice to individuals if their data is improperly released. Indeed, ChoicePoint at first sent letters to only 35,000 Californians - and then later decided to tell the more than 100,000 potential victims living elsewhere.

Such breaches are becoming common; Bank of America last week said it lost backup tapes bearing financial data on 1.2 million customers. But the ChoicePoint scandal is now driving calls for federal oversight of data brokers, which - even ChoicePoint agrees - is sorely needed. Such new controls ought to include stiff financial penalties for improper releases, the only way to ensure that aggregators adequately protect sensitive data.

Meanwhile, legislators in Maryland - where ChoicePoint says it has sent nearly 3,000 notices - should support this session's bills to prevent the widespread use of Social Security numbers as personal identifiers (vetoed by the governor last year) and to force police agencies to take identity-theft reports. A state bill requiring notice of improper releases, as in California, died last session and ought to be resurrected.

America's identity theft epidemic - with an estimated 10 million victims a year - is a negative sign of the times. Such frauds can do damage for years. Data brokers aren't the only targets of identity thieves, but they're obviously attractive. This is an industry ripe for federal and state controls.